Monitoring Network Traffic to Detect Stepping-Stone Intrusion

Jianhua Yang, Byong Lee, Stephen S. H. Huang
Department of Math and Computer Science, Bennett College
E-mail: {jhyang, blee
Department of Computer Science, University of Houston

Abstract

Most network intruders tend to use stepping-stones to attack or to invade other hosts in order to reduce the risk of being discovered. Many approaches have been proposed to detect stepping-stones since 1995. One of those approaches, proposed by A. Blum, detects stepping-stones by checking whether the difference between the number of Send packets of an incoming connection and that of an outgoing connection is bounded. One weakness of this method is in resisting intruders' evasion, such as chaff perturbation. In this paper, we propose a method based on random walk theory to detect stepping-stone intrusion. Our theoretical analysis shows that the proposed method is more effective than Blum's approach in terms of resisting intruders' chaff perturbation.

1. Introduction

Most intruders tend to invade a computer host by launching their attacks through a chain of compromised computers, which are called stepping-stones [1]. The attackers are called stepping-stone intruders. One obvious reason why intruders use stepping-stones is that it makes them hard to catch. Detecting a stepping-stone intrusion is difficult because of the nature of the TCP/IP protocol, in which a computer in a TCP/IP session is visible only to its immediate downstream and upstream neighbors, but not to anyone else. That is, if an intruder uses a chain of more than one computer to invade, only the computer having a direct TCP/IP connection to the victim host is visible, and the intruder's identity would be hidden. There are many approaches developed to detect stepping-stone intrusion. They are divided into two categories: passive and active approaches. The passive approaches use the information gathered from hosts and networks to detect a stepping-stone intrusion. One advantage of the passive approach is that it does not interfere with the sessions.
This work is supported by NSF BC-Alliance grant: Contract number #CS

Its disadvantage is that it takes more computation than the active approach does, because it finds a stepping-stone pair by checking all the incoming and outgoing connections of a host. Most approaches proposed to detect stepping-stone intrusion, such as Content-based Thumbprint [1], Time-based Approach [2], Deviation-based Approach [3], Round-trip Time Approach [4, 5], and Packet Number Difference-based Approach [6, 7], are classified as passive. Staniford-Chen and Heberlein proposed the content-based thumbprint method, which identifies intruders by comparing different sessions for suggestive similarities of connection chains [1]. The fatal problem of this method is that it cannot be applied to encrypted sessions, because their real contents are not available and therefore no thumbprint can be made. Zhang and Paxson [2] proposed the time-based approach, which can be used to detect stepping-stones or to trace an intrusion even if a session is encrypted. However, there are three major problems with the time-based approach. First, it can be easily manipulated by intruders. Second, the method requires that the packets of the connections have precise and synchronized timestamps in order to correlate them properly. This makes it difficult or impractical to correlate measurements that were taken at different points in the network. Third, Zhang and Paxson were also aware of the fact that a large number of legitimate stepping-stone users routinely traverse a network for a variety of reasons. Yoda and Etoh [3] proposed the deviation-based approach, which is a network-based correlation scheme. This method is based on the observation that the deviation between two unrelated connections is large enough to be distinguished from the deviation between connections within the same connection chain. In addition to the problems the time-based approach has, this method has other problems, such as not being efficient and not being applicable to compressed sessions or to added payload.
Yung [5] proposed the round-trip time (RTT) approach, which detects stepping-stone intrusion by estimating the downstream length using the gap between a request and its response, and the gap between the request and its acknowledgement. The problem with the RTT approach is that it makes inaccurate detections because it cannot compute the two gaps accurately.

Blum [7] proposed the packet number difference-based (PND-based) approach, which detects stepping-stones by checking the difference in Send packet numbers between two connections. This method is based on the idea that if the two connections are relayed, the difference should be bounded; otherwise, it should not be. This method can resist intruders' evasions such as time jittering and chaff perturbation. D. Donoho et al. [6] showed for the first time that there are theoretical limits on the ability of attackers to disguise their traffic using evasions during a long interactive session. The major problem with the PND-based approach is that the upper bound on the number of packets required to monitor is large, while the lower bound on the amount of chaff an attacker needs to evade detection is small. This fact makes Blum's method very weak in resisting intruders' chaff evasion. In this paper, we propose a novel approach that exploits the optimal numbers of TCP requests and responses to detect stepping-stones. A random walk process can model the differences between the number of requests and the number of responses. A theoretical analysis in this paper shows that the performance of our approach is better than Blum's approach in terms of the number of packets to be monitored under the same confidence, with the assumption that the session is manipulated by time jittering or chaff perturbation. The rest of this paper is arranged as follows. In Section 2, we present the problem statement. Section 3 presents the stepping-stone detection algorithm. In Section 4, we analyze the performance of this algorithm, and in Section 5, we present the results of comparisons with the PND-based approach. Finally, in Section 6, we summarize the work and discuss future work.

2. Problem Statement

The basic idea of detecting a host or a network of computers used as a stepping-stone is to compare an incoming connection with one of the outgoing connections. If they are relayed, we call them a stepping-stone pair; otherwise, a normal pair. As Figure 1 shows, host h has one incoming connection C1 and one outgoing connection C2, while each connection has one request stream and one response stream.
If we make the three assumptions below, then over a period of time the number of packets monitored in each connection should be close to equal for any two connections that are relayed:
1 Each packet that appears in one connection must appear in its relayed one;
2 An intruder could hold any packet at any place, but the holding time has an upper bound;
3 An intruder could insert meaningless packets into an interactive session at any time, but the inserting rate is bounded.
Assumption 1 means that there are no packet drops, combinations, or decompositions. It guarantees that the number of packets in an incoming connection must be greater than or equal to the number of packets in the relayed outgoing connection. If two connections are relayed, we can at least find a relationship between the number of requests of the outgoing connection and the number of responses of the incoming connection. The problem of detecting stepping-stones thus becomes the problem of finding a correlation between the number of requests and the number of responses. Assumption 2 comes from the fact that each user has a time tolerance when using an interactive session, and assumption 3 indicates that the rate at which a user can insert packets into an interactive session is bounded.

[Figure 1. Illustration of connections and streams of a host: incoming connection C1 and outgoing connection C2 at host h, each with a Send stream S and an Echo stream E]

From the above three assumptions, we know that if two connections are relayed, there should be a suggestive relationship between the number of requests and responses. We can use the existence of this relationship to determine whether two connections are in the same chain. We claim that it is possible to detect stepping-stones by comparing the number of Sends in an outgoing connection with the number of Echoes in an upstream connection. In other words, it is possible to detect stepping-stone intrusion by monitoring network traffic.

3. Stepping-Stone Detection Algorithm

3.1 Basic Idea to Detect Stepping-Stone

We monitor an interactive TCP session that is established using OpenSSH for a period of time, capture all the Send and Echo packets, and put them into two sequences, S with n packets and E with m packets, respectively.
In an interactive session, the user inputs a command by typing a sequence of letters and then executes the command at the server side. The execution result is returned to the client side as packets. In general, when a user types one letter (keystroke), it is echoed by a response packet. We call these a single-letter Send and Echo, respectively. If we filter out the non-single-letter packets and keep only the single-letter Sends and Echoes, then the number of Sends in an outgoing connection should be close to the number of Echoes in an incoming connection if the two connections are relayed.

We count the number of requests (Sends) of the outgoing connection and the number of responses (Echoes) of the incoming connection, and consider the difference between the two numbers. For relayed connections, the difference should vary but stay close to zero. Ideally, it should be zero. However, there are two reasons why it may not be exactly zero. First, multiple Sends or Echoes may be combined into one packet during propagation, and because of the nature of the TCP/IP protocol we may not be able to identify all single-letter packets. Second, we cannot completely remove the packets of command execution results by checking packet size. Nevertheless, if the two connections are relayed, the difference should be close to zero with high probability. If two relayed connections are manipulated, the difference should be bounded within a range [−Ω, Ω] based on assumptions 2 and 3. For time jittering evasion, we assume that if a packet is held, the packet holding time cannot be larger than H and the number of packets that can be held in each connection cannot be larger than Ω_H. For chaff perturbation, we assume that the number of packets that can be introduced in a unit of time for each connection cannot be larger than r. Assuming that we collect the packets over a given number of units of time, the difference should be bounded within [−Ω, Ω] for two relayed connections, where Ω is that number of time units multiplied by r. Now, the problem of detecting a stepping-stone pair is reduced to the task of judging whether the differences in the number of single-letter packets between two connections are bounded, i.e. for a stepping-stone pair the following relationship should hold:

  −Ω ≤ (number of Echoes − number of Sends) ≤ Ω   (1)

3.2 Stepping-Stone Detection Algorithm

To reduce false alarms and misdetections in detecting a stepping-stone pair, we check condition (1) every time a packet is received. If we monitor a given total number of packets, condition (1) is checked that many times. We propose the following algorithm to detect stepping-stones. We call this algorithm Detecting Stepping-stone Evasion.
Detecting Stepping-stone Evasion (S, E, Ω, number of packets to check)
  count_e := 0; count_s := 0;
  for j := 1 to (number of packets to check):
    if packet j is in S then count_s := count_s + 1;
    if packet j is in E then count_e := count_e + 1;
    diff := count_e − count_s;
    if diff < −Ω or diff > Ω then return Normal
  Endfor
  return Stepping Stone

In this algorithm, we capture and check up to the given number of packets on two connections to see whether formula (1) is satisfied. If formula (1) is not satisfied even once, we conclude that there is no stepping-stone pair. The conclusion about the existence of a stepping-stone should be made only after all the connections are checked. If (1) is satisfied in all the checks, we conclude that there is a stepping-stone with a very high probability. It is not necessary to check whether formula (1) holds for all the connections. The larger the number of checks, the higher the confidence of the detection. For a given confidence, which is also called the false positive probability, what would be the optimal number of packets to monitor on the two connections?

4. Performance Analysis

We assume that a collected packet is a Send with a fixed probability and an Echo otherwise. The difference between the number of Sends of one stream and the number of Echoes of another stream can be modeled as a random walk process with independent jumps Z_1, Z_2, …, Z_i, …, where i is a positive integer. If a captured packet is a Send, the difference makes a jump Z_i = −1; otherwise, a jump Z_i = 1; there is no other choice. The probabilities of the two jumps are the Send and Echo probabilities, which sum to one.   (2)

Table 1. Notations used in the analysis of random walks
  C1, C2: the two monitored connections
  false negative probability
  false positive probability
  a given false negative probability
  a given false positive probability

We evaluate the performance of the algorithm by computing the smallest number of packets for a given false positive detection probability or false negative detection probability.
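As an added example, not code from the paper, the following Python implements the bounded-difference check of condition (1) from Section 3 and a Monte Carlo version of the random-walk false-positive model of Section 4. It assumes a simplified packet record (kind, payload length), a size threshold for what counts as a single-letter packet, and two constructed traces (one relayed pair, one unrelated pair); none of these details are given in the paper.

```python
import random
from typing import Iterable, List, Tuple

# Constructed packet model for this example: (kind, payload_len), where kind is
# "S" for a Send on the outgoing connection and "E" for an Echo on the incoming
# connection. The size threshold is an assumption of this example; the paper
# only says that non-single-letter packets are filtered out by packet size.
Packet = Tuple[str, int]
SINGLE_LETTER_MAX_LEN = 4  # assumed threshold, not from the paper


def single_letter_only(packets: Iterable[Packet]) -> List[str]:
    """Keep only single-letter Sends and Echoes; return their kinds in order."""
    return [kind for kind, size in packets
            if kind in ("S", "E") and size <= SINGLE_LETTER_MAX_LEN]


def detect_stepping_stone(kinds: List[str], omega: int, n_checks: int) -> str:
    """Condition (1) checked after every packet: the Echo/Send difference must
    stay inside [-omega, omega]. Returns "Normal" on the first violation,
    "Stepping Stone" once n_checks packets all pass, and "Undecided" when fewer
    than n_checks packets were captured (the paper draws its conclusion only
    after all checks are done)."""
    if len(kinds) < n_checks:
        return "Undecided"
    n_send = n_echo = 0
    for kind in kinds[:n_checks]:
        if kind == "S":
            n_send += 1
        else:
            n_echo += 1
        diff = n_echo - n_send
        if diff < -omega or diff > omega:
            return "Normal"
    return "Stepping Stone"


def false_positive_rate(omega: int, n_checks: int, p_send: float = 0.5,
                        trials: int = 20000, seed: int = 7) -> float:
    """Monte Carlo estimate of the random-walk false positive probability:
    for an unrelated pair the jumps are independent (-1 for a Send with
    probability p_send, +1 otherwise), and a false positive is a walk that
    never leaves [-omega, omega] during n_checks steps."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        diff = 0
        for _ in range(n_checks):
            diff += -1 if rng.random() < p_send else 1
            if diff < -omega or diff > omega:
                break
        else:  # no break: the unrelated pair would be called a stepping stone
            survived += 1
    return survived / trials


def build_relayed_trace(keystrokes: int) -> List[Packet]:
    """Constructed relayed pair: every single-letter Send is echoed; every tenth
    keystroke is followed by a large command-output packet that the size
    filter should drop."""
    trace: List[Packet] = []
    for i in range(keystrokes):
        trace.append(("S", 1))
        trace.append(("E", 1))
        if i % 10 == 9:
            trace.append(("E", 400))
    return trace


def build_unrelated_trace(packets: int) -> List[Packet]:
    """Constructed unrelated pair: Sends and Echoes arrive in independent
    bursts of eight, so the difference drifts well outside a small bound."""
    return [("S" if (i // 8) % 2 == 0 else "E", 1) for i in range(packets)]


if __name__ == "__main__":
    omega, n = 3, 300
    print(detect_stepping_stone(single_letter_only(build_relayed_trace(200)), omega, n))
    print(detect_stepping_stone(single_letter_only(build_unrelated_trace(400)), omega, n))
    for checks in (20, 50, 200):
        print(checks, false_positive_rate(omega, checks))
```

Running the script shows the relayed trace classified as a stepping stone, the burst trace rejected as normal, and the estimated false positive rate for an unrelated pair falling sharply as the number of checks grows, which is the trade-off between monitored packets and confidence that Section 4 analyzes.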

In order to compare with Blum's approach, we assume the equation for Ω is satisfied. Let B be the minimum number of packets that Blum's approach must monitor to reach a given false positive probability, and consider the corresponding number for our algorithm. Our purpose is to compare the two numbers; the smaller number represents the better performance. They can be computed by the following formulas:

  B ( + log   (9)
  log[ ( cos ] / log cos   (10)

[Figure 2. Comparison of the number of packets monitored with Blum's method under 0.]

We cannot compare the two numbers directly by using Equations (9) and (10), because there is no guarantee that one of them is always larger than the other. Figure 2 and Figure 3 show the results of comparisons between the two numbers for a varying bound, where the Y axis uses a logarithmic scale, under fixed false positive probabilities of 0. and the value given in Figure 3, respectively. Figure 2 shows that Blum's approach has better performance than ours only when the bound is under eight; when the bound is larger than eight, ours outperforms Blum's. Figure 2 and Figure 3 show that as the false positive probability becomes smaller, our algorithm performs better than Blum's does. Based on the comparisons shown in Figure 2 and Figure 3, we conclude that under high confidence (low false positive probability) without chaff perturbation, our algorithm outperforms Blum's because it needs fewer packets to be monitored.

5. Comparison between Our Algorithm and the Best Existing Algorithm with Chaff Perturbation

When a session is manipulated with chaff perturbation, Blum claimed that his method can still detect stepping-stones, but on the condition that no more than x packets are inserted for every 8(x+1) packets. Otherwise, his method would not work. We evaluate the performance of our algorithm by comparing it with Blum's again. We assume that we insert x packets into a send stream for every x send and approximately x echo packets. This means the ratio is x/(x + x) = 1/2, and the inserting rate is approximately 50%, which is much bigger than Blum allows. From equation (6), we obtain the least number of packets monitored by our algorithm with a given false positive probability:

  log[ ( cos ( o(0.5, + o(, ] / log(0.998 cos (   (12)

[Figure 3. Comparison of the number of packets monitored with Blum's method under]

According to [7], the least number of packets B monitored by Blum's approach with a given false positive probability can be obtained by equation (11):

  B = 8( + ) log   (11)

Figure 4 and Figure 5 show the results of comparisons between our algorithm and Blum's with chaff perturbation. Figure 4 shows that our algorithm outperforms Blum's when the detection boundary is less than 50, with the given false positive probability 0. Figure 5 shows the results of comparisons when the false positive probability is decreased further. Figure 4 and Figure 5 show that the lower the false positive probability, the
